Under the General Data Protection Regulation (GDPR), a public authority is subject to different requirements than other companies—so for higher education, it’s important to understand where colleges and universities are categorized.
What is a public authority?
A public authority is broadly defined as a public, state, or government organization. If that’s not broad enough, here are a number of definitions that attempt to define what a public authority is without ever reaching universal agreement.
“Public authorities are agencies created by governments to engage directly in the economy for public purposes. They differ from standard agencies in that they operate outside the administrative framework of democratically accountable government.”
“Public authorities—variously also known as public corporations, administrations, boards, trusts, agencies, or a slew of other monikers—are ‘revenue-producing, administratively independent units,’ conjured into existence by legislatures and assigned to furnish particular goods and services (p. 4). They range in size and scope from the Springfield Parking Authority to Fannie Mae and the Tennessee Valley Authority.”
Further, “It is often assumed that universities are public authorities for the purpose of legislation. However, the case law on this issue is conflicting, making it difficult to identify with certainty whether universities are public authorities or not.”
Wisconsin, in 2011, proposed legislation within its state that would give the university more freedom but “make it a public authority” — indicating that, at that time, it wasn’t officially viewed as a public authority. However, the existence of extensive state regulations and mandates of colleges and universities, as well as the fact that they are designed to serve the public need and are eligible for government financing/funding, might indicate that they are — per certain other definitions — already a public authority.
In the UK, “academy trusts are already designated as public authorities for the purposes of Freedom of Information Act queries. There is no separate definition of a ‘public authority’ in the GDPR and whilst the government has power to redefine particular organisations and remove public authority status for the purposes of GDPR it has expressed no intention to do so for academies.”
How to decide if a university is a public authority?
Even though legislation in the UK may recognize universities as a public authority, the GDPR does not give “an autonomous definition of public authority. For organisations, it is national law – and not EU law – that will determine if they must be considered public authorities for the purposes of the GDPR.”
What are the implications of a university being a public authority under the GDPR?
As a public authority, universities must appoint a data protection officer (DPO) and, if outside the EU, a data protection representative (DPR) within the EU.
As mentioned, the rules for processing data under the GDPR are different for public authorities. According to Sue King, legal partner at a UK law firm, colleges and universities viewed as public authorities “will have additional hurdles to overcome if seeking to rely on (1) consent and in any event cannot rely on (5), legitimate interests.” (see her article for more information)
What to do now?
In order to be compliant with the GDPR and avoid potential penalties, it’s crucial to know whether your organization is viewed as a public authority, and then comply accordingly. As the regulation depends on the local interpretation of ‘public authority’, it’s best to find out how your state views universities and colleges, as well as keeping an eye on any national standard that may come about due to increased interest and need.